Liverpool Hope Logo Liverpool Hope Logo
Liverpool Hope Logo

General Data Protection Regulations

The General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018 (DPA), plus guidance from the Information Commissioner's Office (ICO), provide the framework for data protection within the University.

Processing personal data

The Data Protection Principles will remain largely the same and the University will still need to ensure personal data is;

  • obtained fairly & lawfully
  • processed for specified & lawful purposes
  • adequate, relevant and not excessive
  • kept accurate and up to date
  • kept no longer than necessary
  • processed in accordance with the data subject’s rights
  • kept safe & secure
  • not transferred outside the EEA.

In addition to this, the GDPR will encourage a more proactive and documented approach to compliance. This means the University will have to keep records of the personal data it holds and how that data is processed. The University takes these statutory obligations seriously and will;

  • implement policies, procedures, processes and training to promote ‘data protection by design and by default’.
  • have appropriate contracts in place when outsourcing functions that involve the processing of personal data.
  • maintain records of the data processing that is carried out across the organisation.
  • document and report personal data breaches.
  • carry out Data Protection Impact Assessments on ‘high risk’ processing activities.

The University will continue to be regulated by the Information Commissioners Office (ICO) with regards to data protection.

Reporting a data protection breach

If you suspect there has been a breach, you must report it without delay to: Itshelp@hope.ac.uk using subject header: DATA BREACH

For further guidance on what you need to report and what to do if you discover a breach outside of core working hours, please see the University's GDPR Data Breach Procedure.

The University must report a breach of data to the Information Commissioners Office within 72 hours of discovering the breach. DO NOT DELAY INFORMING THE UNIVERSITY IF YOU SUSPECT A BREACH.

Further information

The Information Commissioners Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest and data privacy for individuals.

There are also toolkits available to help staff working with personal data - Think.Check.Share.Communicating the Importance of Information Security to Staff

Guidance for university staff

Further information about how to ensure compliance with GDPR can be found in the Staff Guidance on Data Protection booklet

More practical advice about handling personal data is available in theData Protection Do's and Don'ts Guide

Data privacy should be considered as part of any project or activity which involves processing personal data to ensure data protection is a key consideration from the outset. A Data Protection Impact Assessment (DPIA) can be used as a tool to assist with this process:

Data Protection Impact Assessment Guidelines

Data Protection Impact Assessment (DPIA) Template

Retention schedules

The following schedules provide detailed information about how long the University keeps its data before disposing of it:

Student Administration Retention Schedule

Student Development and Wellbeing Retention Schedule

Finance (General) Retention Schedule

Health & Safety Retention Schedule

Faculty (School) Retention Schedule

Continuous Professional Development (CPD) Retention Schedule

Estates Retention Schedule

Student Admissions Retention Schedule

Vice Chancellor's Office Retention Schedule

Useful links

Data Protection Policy

Information Management Policy

Working from Home and GDPR - an Introduction